SkillCloak Packing Beats Every Tested AI Scanner

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- HKUST researchers published the paper "Cloak and Detonate," showing that pre-installation scanners for AI coding-agent "skills" — small packages loaded by agents like Claude Code, OpenAI Codex, and OpenClaw — can be fooled by simple obfuscation that leaves the malware fully functional.
- SKILLCLOAK's self-extracting packing hides payloads in scanner-skipped directories like .git/ behind a harmless-looking decoder, and across eight scanners and 1,613 real malicious skills from ClawHub it evaded each of the eight more than 90% of the time and more than 99% on most of them.
- The lighter SKILLCLOAK technique — character swaps and split commands — cleared more than 80% on most scanners and 96% on one, and cloaked skills performed just as well as originals on Claude Code and OpenAI Codex.
- SKILLDETONATE, a runtime checker the same team built, caught 97% of attacks with a 2% false-positive rate by tracking sensitive data by where it flows at the OS level; against real-world malicious skills it caught 87%, beating every static scanner tested.
- Cisco's scanner, the strongest static option tested, caught 99% of real-world malicious skills before cloaking but only about 10% after — illustrating how pre-scan defenses degrade under packing.
- Real-world marketplace data backs up the gap: Bitdefender found roughly 17% of skills on one marketplace carried hidden malicious code, and Koi Security counted 341 malicious skills (later 824) in its "ClawHavoc" campaign on ClawHub.
Why it matters: The trust gate for AI-agent add-on skills has to move from pre-installation scans to runtime behavior monitoring, since cloaked payloads evade every tested scanner and unpack only when the agent executes — and because the same one skill runs with the agent's full access to a user's files, terminal, and saved passwords.



